CVE-2016-2105
HIGH severity · CVSS 7.5 · Integer overflow
7.5CVSS HIGH
Summary
Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactNone
Integrity impactNone
Availability impactHigh
Exploit probability (EPSS)40%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10759Advisory
- http://lists.apple.com/archives/security-announce/2016/Jul/msg00000.htmlAdvisory
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183457.htmlAdvisory
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183607.htmlAdvisory
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184605.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00001.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00008.htmlAdvisory
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00010.htmlAdvisory